JSON web token based authentication in Django

A brief description of how the JWT authentication is implemented in Django …


  • What is JWT and how does it work?
  • Using JWT authentication in Django

JSON Web Token (also pronounced as jot):

Conventionally, websites used cookie-based authentication, which was stateful, i.e., both the client and the server had the session information stored on them. In a typical REST framework, however, the server does not keep the client’s state. Hence token-based authentication, which is stateless, comes into the picture: the client keeps the information required for authentication in the form of a token, and there’s no need for server-side storage. While there are many ways to create tokens, JWTs have become a standard for making authentication tokens. Before diving into authentication in Django, let’s first demystify what JWT actually is and how JWT authentication works.

How does it work?

Let’s take a real-life scenario where a customer wants to enter a mall. Just before the entrance he has to leave his luggage at the counter outside the mall, where he gets a slot for his luggage and receives a token containing the information of the slot where his luggage (i.e., his resource) is kept. The next time he comes, he has to show this token to get the item stored in the slot mentioned in the token.
Similarly, token-based authentication is used to access REST APIs, and here’s the diagram showing how JWT is used to implement the same:

Why JWT?

  • JWTs work across different programming languages like .NET, Python, Node.js, Java and PHP.
  • Used to communicate JSON objects whose integrity the receiver can verify, even over unsecured connections like HTTP. The signature detects tampering; the payload itself is only base64url-encoded, not encrypted.
  • JWTs are self-contained entities, i.e., they carry all the basic information about themselves, the user they are associated with (as the payload) and the signature.
  • Perfect for use inside an HTTP header when authenticating an API.

JWT’s structure:

A JSON Web Token comprises 3 strings separated by “.”, as follows, where each part is encoded with base64url encoding:


The HEADER portion :


The header is a JSON object which declares that the encoded object is a JWT and that it is MACed using the HMAC SHA-256 algorithm, in the following manner:

  • { "typ":"JWT", "alg":"HS256" }

Here, typ and alg are strings:

- “typ” specifies the type of token used,
- “alg” denotes the algorithm used to sign the token.

The PAYLOAD portion or JWT Claim-set :


The payload is a JSON object that consists of user-defined attributes (called public claims). There are also some pre-defined attributes in the standard, known as reserved claims.

JWT Signature :


The JWT signature is a keyed hash (HMAC) computed over the following components:

  • header
  • payload
  • “SECRET” (a secret key held by the server)

i.e., the signature is computed over the encoded header and payload, keyed with the “SECRET”.

This is how we get it:

var encoded_string = base64URLEncode(header) + "." + base64URLEncode(payload)

Signature = HMACSHA256(encoded_string, "SECRET")

A JWT in short is: encoded(header) + "." + encoded(payload) + "." + signature (which is itself base64url-encoded).
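The construction above, carried through with only the Python standard library, as an added example that is not code from the original post. The function names are illustrative, the key b"SECRET" is a constructed demo value, and the verifier pins HS256 rather than reading the algorithm from the token header.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(payload: dict, secret: bytes) -> str:
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + b64url_encode(_mac(signing_input, secret))


def verify_hs256(token: str, secret: bytes) -> dict:
    # Raises ValueError on a malformed token, unexpected "alg", or bad MAC.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server; never trust the header's choice.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _mac(header_b64 + "." + payload_b64, secret)
    # Constant-time comparison, so timing does not leak the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    secret = b"SECRET"  # constructed demo key, as in the text above
    token = sign_hs256({"user_id": "abc"}, secret)
    print(verify_hs256(token, secret))
    # The payload is only encoded: readable without the secret.
    print(b64url_decode(token.split(".")[1]))
```

Anyone holding the token can read its payload, but changing the payload without the secret makes verification fail.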

Creating a JSON Web Token in Python:

First we have to install the Python pyjwt library; then, using pyjwt:

>>> import jwt
>>> encoded_token = jwt.encode({'user_id': 'abc'}, 'SECRET', algorithm='HS256')
>>> encoded_token

Decoding the token created above on the server:

>>> jwt.decode(encoded_token, 'SECRET', algorithms=['HS256'])
{'user_id': 'abc'}

Using JWT authentication in Django:

Implementing JWT authentication in Django basically requires the following three steps:

  1. A login view that takes the user’s username and password, creates a token with the user information corresponding to the passed credentials as payload, and returns it to the browser.

  2. The next time the browser makes any API request, it has to send the token in the Authorization header to authenticate itself.

Authorization Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjp7ImlkIjoiNTlhZDFmZTI0MDVkNzk0YTFkYWQ2YmFkIiwiZGlzcGxheV9uYW1lIjoiQWRtaW4iLCJyb2xlX3R5cGUiOiJhZG1pbiJ9LCJpZCI6IlwiNTliYmJjODc0MDVkNzk0NjYwNGEzZjUyXCIiLCJlbWFpbCI6Imp5b3RpZ2F1dGFtMTA4QGdtYWlsLmNvbSJ9.oGA-goFi7ee6DdKn0Z4sctomaY6Ki0mfuJfxT4OK9WA

  3. The server validates the token and, based on the validation result, allows the browser to access the APIs protected with the authentication class.